11036645

Secure userspace networking for guests

Published: June 15, 2021
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A system comprising: a memory associated with a guest configured to execute on a virtual machine, wherein the virtual machine includes a virtual device and a plurality of unprivileged components including a first unprivileged component of the guest; and a hypervisor associated with the guest executing on one or more processors to: map a first queue associated with the virtual device to a first address space identifier of a plurality of address space identifiers, wherein each of the plurality of address space identifiers respectively identifies at least one memory address allocated as a respective workload queue, and each respective workload queue is allocated by the guest as device memory for the virtual device; detect a first request written by the first unprivileged component of the guest into the first queue; locate a first page table associated with the virtual device based on the first address space identifier; and translate the first request with the first page table, wherein translating the first request yields a memory address of a message.

2. The system of claim 1, wherein a second request to the virtual device lacks association with any address space identifier associated with the virtual device, and a second page table associated with a privileged component of the guest is located by the hypervisor based on at least one of a bus identifier associated with the virtual device, a device identifier of the virtual device, and a function identifier associated with the virtual device.

3. The system of claim 2, wherein the hypervisor detects the second request based on a memory location associated with the virtual device and unassociated with any address space identifier being accessed.

4. The system of claim 1, wherein a second request is associated with a second queue associated with a second address space identifier, and the second request is translated with a second page table associated with the second address space identifier.

5. The system of claim 4, wherein a requestor of the second request is restricted from accessing at least one of the first queue and the first page table.

6. The system of claim 1, wherein translating the first request includes translating a virtual memory address included in the first request into the memory address of the message, and wherein the memory address of the message is associated with the first unprivileged component of the guest.

7. The system of claim 1, wherein a header of the first queue includes the first address space identifier.

8. The system of claim 1, wherein a first plurality of queues including the first queue is associated with a plurality of memory locations in the memory associated with the virtual device.

9. The system of claim 8, wherein the hypervisor locates the first queue based on a memory location of the plurality of memory locations being accessed by a component of the guest.

10. The system of claim 8, wherein a memory location of the plurality of memory locations is accessed, and the hypervisor validates the accessed memory location as matching a memory location of the first queue.

11. The system of claim 1, wherein a second queue is mapped to the first address space identifier and associated with the first page table.

12. The system of claim 1, wherein the first page table is associated with a virtual input output memory management unit.

13. The system of claim 1, wherein the first request is a request to transmit the message and the virtual device is a virtual network interface.

14. The system of claim 13, wherein a MAC address of the message is verified before the message is transmitted.

15. The system of claim 13, wherein the message is tagged with a sender identification tag.

16. The system of claim 1, wherein the first queue is associated with the first address space identifier based on the hypervisor receiving a notice identifying the first queue based on a queue identifier of the first queue from the guest, wherein the notice includes the first address space identifier.

17. The system of claim 1, wherein the hypervisor assigns the virtual device a plurality of memory addresses, and a privileged component of the guest associates a first virtual memory address associated with the first unprivileged component of the guest with a first memory address of the plurality of memory addresses.

18. The system of claim 17, wherein the first unprivileged component accessing the first virtual memory address triggers the first request; and the privileged component accessing a second virtual memory address associated with a second memory address of the plurality of memory addresses triggers a second request translated by a second page table unassociated with any address space identifier.

19. A method comprising: mapping a queue associated with a virtual device to an address space identifier of a plurality of address space identifiers, wherein a virtual machine includes the virtual device and a plurality of unprivileged components including a first unprivileged component of a guest, each of the plurality of address space identifiers respectively identifies at least one memory address allocated as a respective workload queue, and each respective workload queue is allocated by the guest as device memory for the virtual device; detecting, by a hypervisor, a request written by the first unprivileged component of the guest into the queue; locating, by the hypervisor, a page table associated with the virtual device based on the address space identifier; and translating the request with the page table, wherein translating the request yields a memory address of a message.

20. A computer-readable non-transitory storage medium storing executable instructions, which when executed by a computer system, cause the computer system to: map a queue associated with a virtual device to an address space identifier of a plurality of address space identifiers, wherein a virtual machine includes the virtual device and a plurality of unprivileged components including a first unprivileged component of a guest, each of the plurality of address space identifiers respectively identifies at least one memory address allocated as a respective workload queue, and each respective workload queue is allocated by the guest as device memory for the virtual device; detect, by a hypervisor, a request written by the first unprivileged component of the guest into the queue; locate, by the hypervisor, a page table associated with the virtual device based on the address space identifier; and translate the request with the page table, wherein translating the request yields a memory address of a message.
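The isolation property the claims describe is easier to see as a small model than as claim language, so the following is an added example; it is not code from the patent or from any product, and the class names, the bus/device/function string "00:03.0", the queue base addresses and the page mappings are all constructed for illustration. It models the mechanism of claims 1, 2, 5, 9, 10 and 16: the guest registers each queue together with an address space identifier (ASID), the hypervisor validates that an accessed device-memory location belongs to a registered queue, selects the page table by that queue's ASID (or, for a queue with no ASID, by the device's bus/device/function identifier), and translates the request's virtual address into the physical address of the message buffer. A request arriving on one unprivileged component's queue therefore cannot be translated through another component's page table, and an access that matches no queue is rejected rather than translated.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PAGE_SIZE = 0x1000


class TranslationFault(Exception):
    """Raised when a request references memory its page table does not map."""


@dataclass
class PageTable:
    owner: str
    # virtual page number -> physical page number (constructed sample mappings)
    entries: Dict[int, int] = field(default_factory=dict)

    def translate(self, vaddr: int) -> int:
        vpn, offset = divmod(vaddr, PAGE_SIZE)
        if vpn not in self.entries:
            raise TranslationFault(f"{self.owner}: no mapping for {vaddr:#x}")
        return self.entries[vpn] * PAGE_SIZE + offset


@dataclass
class Queue:
    queue_id: int
    asid: Optional[int]  # None models a queue with no ASID association (claim 2)
    base: int            # device-memory location the guest allocated for this queue


@dataclass
class Hypervisor:
    bdf: str  # bus/device/function id of the virtual device (constructed value)
    queues: Dict[int, Queue] = field(default_factory=dict)
    asid_tables: Dict[int, PageTable] = field(default_factory=dict)
    bdf_tables: Dict[str, PageTable] = field(default_factory=dict)

    def register_queue(self, queue: Queue, table: Optional[PageTable] = None) -> None:
        """Guest notice naming a queue and its ASID; the ASID selects a page table."""
        self.queues[queue.queue_id] = queue
        if queue.asid is not None and table is not None:
            self.asid_tables[queue.asid] = table

    def locate_queue(self, accessed_location: int) -> Queue:
        """Validate that the accessed device-memory location is a registered queue."""
        for q in self.queues.values():
            if q.base == accessed_location:
                return q
        raise TranslationFault(f"access at {accessed_location:#x} matches no queue")

    def handle_request(self, accessed_location: int, vaddr: int) -> Tuple[str, int]:
        """Translate a request's virtual address with the table its queue's ASID selects.

        Returns (page table owner, physical address of the message buffer).
        """
        queue = self.locate_queue(accessed_location)
        if queue.asid is None:
            table = self.bdf_tables[self.bdf]     # privileged fallback, keyed by BDF
        else:
            table = self.asid_tables[queue.asid]  # per-ASID table, keyed by the queue
        return table.owner, table.translate(vaddr)


def request_rejected(hv: Hypervisor, accessed_location: int, vaddr: int) -> bool:
    """True when the hypervisor refuses the request (no queue match or no mapping)."""
    try:
        hv.handle_request(accessed_location, vaddr)
    except TranslationFault:
        return True
    return False


def build_sample_hypervisor() -> Hypervisor:
    """Constructed scenario: two unprivileged components and one privileged one."""
    hv = Hypervisor(bdf="00:03.0")
    # Each unprivileged component gets its own page table; the mappings are made up.
    table_a = PageTable("userspace-A", {0x10: 0x200})  # vpage 0x10 -> ppage 0x200
    table_b = PageTable("userspace-B", {0x20: 0x300})  # vpage 0x20 -> ppage 0x300
    kernel = PageTable("guest-kernel", {0x10: 0x400, 0x20: 0x500, 0x30: 0x600})
    hv.register_queue(Queue(queue_id=1, asid=1, base=0xFE000000), table_a)
    hv.register_queue(Queue(queue_id=2, asid=2, base=0xFE001000), table_b)
    hv.register_queue(Queue(queue_id=0, asid=None, base=0xFE002000))  # no ASID
    hv.bdf_tables[hv.bdf] = kernel
    return hv


if __name__ == "__main__":
    hv = build_sample_hypervisor()
    print(hv.handle_request(0xFE000000, 0x10080))   # A's queue, A's table
    print(hv.handle_request(0xFE002000, 0x30000))   # no-ASID queue, kernel table
    print(request_rejected(hv, 0xFE001000, 0x10080))  # B's queue cannot reach A's page
```

The point to check in a real deployment is the same one the model makes explicit: the page table is chosen by the queue's ASID, never by anything the requester writes into the request itself, so a component that controls only its own queue cannot steer translation through another component's or the kernel's mappings.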

Patent Metadata

Filing Date

Unknown

Publication Date

June 15, 2021

Inventors

Michael Tsirkin


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Secure userspace networking for guests” (11036645). https://patentable.app/patents/11036645
